Global Tips

Preparing for the EU’s Data Protection Regulation

By Stuart Buglass

The European Union’s General Data Protection Regulation has been in the works for a number of years and should be enacted early in 2016. The Regulation will have direct legal effect for all EU member states and will replace the current EU Data Protection Directive, which only acts as a guide.

Despite the fact that the Regulation will likely become law in 2016, its applicability and enforcement will be introduced over the course of the next two years. The primary focus of the Regulation is on ensuring that data controllers consider data privacy during each step of the data-handling process. For example, at the point of collection, explicit consent from the data subject is required, and the subject must be provided with a simple means of withdrawing consent. The Regulation also takes a tougher line on sanctions than the Directive.

Given the number of international businesses the Regulation will affect, its launch has been conducted with huge fanfare. It’s critical to note that this publicity has alerted EU residents to their data privacy rights, including the controversial “right to be forgotten” element of the Regulation, which dictates that data controllers must take active steps to ensure that data that is no longer required is erased.

The bottom line is that the need to comply with data protection laws is more pressing than ever. We strongly advise EU data controllers to safeguard themselves against fines and reputational damage by reviewing three key areas of their existing data processing practices.